support ownca certificates

2020-05-21 14:57:00 +02:00 · 2020-05-21 14:57:00 +02:00 · 87e3f3dd39
commit 87e3f3dd39
parent e1f4ba7c1a
4 changed files with 159 additions and 1 deletions
--- a/tasks/common_cert.yml
+++ b/tasks/common_cert.yml
@ -3,6 +3,7 @@
 - set_fact:
    cert_paths:
      csrpath: "{{ basepath + '/' + certname + '.csr' }}"
+      capath: "{{ basepath + '/' + certname + '.ca' }}"
      keypath: "{{ basepath + '/private/' + certname + '.key' }}"
      certpath: "{{ basepath + '/' + certname + '.crt' }}"
      chainpath: "{{ basepath + '/' + certname + '.chain.crt' }}"
--- a/tasks/ownca_cert.yml
+++ b/tasks/ownca_cert.yml
@ -0,0 +1,118 @@
+- include_tasks: common_cert.yml
+
+- set_fact:
+    capath: "{{ cert_backend.basepath }}/{{ cert_backend.name }}"
+- set_fact:
+    cacertpath: "{{ capath }}/ca.crt"
+    cakeypath: "{{ capath }}/ca.key"
+    cacsrpath: "{{ capath }}/ca.csr"
+    casignedpath: "{{ capath }}/signed"
+    remotecrtpath: "{{ capath }}/signed/{{ certname }}.crt"
+    remotecsrpath: "{{ capath }}/signed/{{ certname }}.csr"
+
+- name: slurp csr for {{ certname }}
+  slurp:
+    src: "{{ cert.csrpath }}"
+  register: csrfile
+
+- name: setup ca
+  delegate_to: "{{ cert_backend.remote|default(inventory_hostname, true) }}"
+  block:
+  - name: "setup base path for {{ cert_backend.name }} ({{ certname }})"
+    file:
+      path: "{{ cert_backend.basepath }}"
+      state: directory
+      mode: 755
+      owner: root
+      group: root
+  - name: "setup ca path for {{ cert_backend.name }} ({{ certname }})"
+    file:
+      path: "{{ capath }}"
+      state: directory
+      mode: 0755
+      owner: root
+      group: root
+  - name: "setup ca signed path for {{ cert_backend.name }} ({{ certname }})"
+    file:
+      path: "{{ casignedpath }}"
+      state: directory
+      mode: 0755
+      owner: root
+      group: root
+  - name: "setup ca key {{ cert_backend.name }} ({{ certname }})"
+    openssl_privatekey:
+      path: "{{ cakeypath }}"
+      size: 4096
+      type: RSA
+      mode: 0640
+      owner: root
+      group: root
+  - name: "setup ca csr for {{ cert_backend.name }} ({{ certname }})"
+    openssl_csr:
+      path: "{{ cacsrpath }}"
+      privatekey_path: "{{ cakeypath }}"
+  - name: "self sign ca crt for {{ cert_backend.name }} ({{ certname }})"
+    openssl_certificate:
+      path: "{{ cacertpath }}"
+      privatekey_path: "{{ cakeypath }}"
+      csr_path: "{{ cacsrpath }}"
+      provider: selfsigned
+      selfsigned_not_after: "{{ cert_backend.ca_not_after }}"
+  - name: slurp ca crt for {{ cert_backend.name }} ({{ certname }})"
+    slurp:
+      src: "{{ cacertpath }}"
+    register: cafile
+  - name: "write csr to ca folder ({{ certname }})"
+    copy:
+      content: "{{ csrfile['content'] | b64decode }}"
+      dest: "{{ remotecsrpath }}"
+  - name: "sign certificate for {{ certname }}"
+    register: casignedsign
+    openssl_certificate:
+      path: "{{ remotecrtpath }}"
+      csr_path: "{{ remotecsrpath }}"
+      ownca_path: "{{ cacertpath }}"
+      ownca_privatekey_path: "{{ cakeypath }}"
+      provider: ownca
+      ownca_not_after: "{{ cert_backend.not_after }}"
+  - name: "copy crt from ca for {{ certname }}"
+    slurp:
+      src: "{{ remotecrtpath }}"
+    register: crtfile
+
+- name: "write crt ({{ certname }})"
+  copy:
+    content: "{{ crtfile['content'] | b64decode }}"
+    dest: "{{ cert.certpath }}"
+- name: "write ca ({{ certname }})"
+  copy:
+    content: "{{ cafile['content'] | b64decode }}"
+    dest: "{{ cert.capath }}"
+- name: "generate concatinated versions (chain) for {{ certname }}"
+  shell: "umask 0137; cat {{ cert.certpath }} {{ cert.capath }} > {{ cert.chainpath }}"
+  args:
+    creates: "{{ cert.chainpath }}"
+
+- name: "set permission for concatinated versions (chain) for {{ certname }}"
+  file:
+    path: "{{ cert.chainpath }}"
+    mode: 0644
+    owner: root
+    group: ssl-cert
+
+- name: "generate concatinated versions (full) for {{ certname }}"
+  shell: "umask 0137; cat {{ cert.chainpath }} {{ cert.keypath }} > {{ cert.fullpath }}"
+  args:
+    creates: "{{ cert.fullpath }}"
+
+- name: "set permissions for concatinated versions (full) for {{ certname }}"
+  file:
+    path: "{{ cert.fullpath }}"
+    mode: 0640
+    owner: root
+    group: ssl-cert
+
+- set_fact:
+    certchanged: "{{ casignedsign is changed }}"
+- name: handle postflight
+  include: common_post.yml